[libvirt] [sandbox PATCH 01/11] Add virt-sandbox-image

Daniel P. Berrange berrange at redhat.com
Fri Jul 31 10:19:30 UTC 2015


On Fri, Jul 31, 2015 at 12:00:40PM +0200, Guido Günther wrote:
> On Fri, Jul 31, 2015 at 09:42:16AM +0100, Daniel P. Berrange wrote:
> > On Fri, Jul 31, 2015 at 09:15:13AM +0200, Guido Günther wrote:
> > > On Thu, Jul 23, 2015 at 03:57:27PM +0000, Eren Yagdiran wrote:
> > > [..snip..]
> > > > +def get_url(server, path, headers):
> > > > +    url = "https://" + server + path
> > > > +    debug("  Fetching %s..." % url)
> > > > +    
> > > > +    req = urllib2.Request(url=url)
> > > 
> > > This does not seem to do any certificate validation (just in case this
> > > ends up in a distro's /usr/bin/ I can already see the CVE forthcoming).
> > 
> > IIUC, with latest python2/3 urllib2 will now do certificate
> > validation by default for https urls.
> > 
> >   https://bugs.python.org/issue22417
> 
> Ahh...since last November. Thanks for pointing this out! Should we then
> at least check if python is recent enough?

Yeah, we could put a version check in there to force new enough python,
or at least print a warning if it is a known insecure version.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list